Digging into "Multiplayer Secure Chat Signing"

[yushijinhun]

Introduction

In 22w17a, Mojang introduced the "Multiplayer Secure Chat Signing" feature. According to the release notes:

This is the first step in a process to provide more security and player safety features for in-game chat. We'd love to hear your thoughts, but keep in mind that many features such as server-driven styling of chat messages are still missing.

• Chat messages between players are now cryptographically signed
• Players are given a Mojang provided key-pair on startup
• Servers can require players to have a Mojang-signed public key by setting enforce-secure-profile=true in server.properties
  • Enforcing secure profiles will prevent players without a Mojang-signed public key from connecting
  • By default this is set to false, allowing players to connect without a Mojang-signed public key
• Chat styling is now handled via server resource packs with the translation key chat.type.text

Implementation details

Key pair retrieval

To retrieve the user's signing key pair, Minecraft sends a POST request to https://api.minecraftservices.com/player/certificates with the HTTP header Authorization: Bearer <access_token> and an empty request body.

The response is a JSON object containing the user's dedicated private & public key and Mojang's signature:

{
    "expiresAt": "2022-05-01T13:38:09.497008Z",
    "keyPair": {
        "privateKey": "-----BEGIN RSA PRIVATE KEY-----\nMIIEvg......\n-----END RSA PRIVATE KEY-----\n",
        "publicKey": "-----BEGIN RSA PUBLIC KEY-----\nMIIBIj......\n-----END RSA PUBLIC KEY-----\n"
    },
    "publicKeySignature": "peXfls......",
    "refreshedAfter": "2022-05-01T05:38:09.497008Z"
}

publicKeySignature is a signaure of the following text:

expiresAt.toEpochMilli() + keyPair.publicKey

.toEpochMilli() converts this timestamp to the number of milliseconds from the epoch of 1970-01-01T00:00:00Z.

The signing public key can be found in the file yggdrasil_session_pubkey.der of authlib-3.4.40.jar. The signature algorithm is SHA1withRSA.

After retrieval, the key pair is stored in .minecraft/profilekeys (e.g. .minecraft/profilekeys/4214aad9-5983-457f-aa37-11bb06057270.json).

Key pair retrieval is done on Minecraft startup (in a separate thread). Once retrieved, Minecraft uses the cached key pair until it's time to refresh it.

Login

When a player joins a Minecraft server, its signing public key is sent to the server.

The new process of joining a server:

1. C->S: Handshake, intention=LOGIN
2. C->S: Login Start, player name + signing public key
   • The signing public key is optional. This part is missing if the client fails to retrieve the player's signing key.
   • If enforce-secure-profile is set to true and the signing public key is missing, the server will disconnect the client.
   • If the signing public key is invalid or expired, or Mojang's signature is invalid, the server will disconnect the client.
3. S->C: Encryption Key Request, server id + server's public key + nonce
   • The nonce is used as a challenge to check whether the client has the corresponding signing private key.
4. C->Mojang: POST https://sessionserver.mojang.com/session/minecraft/join
5. C->S: Encryption Key Response, encrypted shared secret + signature of nonce with salt
   • The salted nonce is signed with the player's signing key.
   • If the player doesn't have a signing key, the encrypted nonce is sent instead. (old behavior)
   • The server will verify the signature, and disconnect the client if it's invalid.
6. S->Mojang: GET https://sessionserver.mojang.com/session/minecraft/hasJoined
7. Mojang->S: Player's profile

Key distribution

After login, the server puts a publicKey property into the player's profile, and distribute it to other players:

• Name: publicKey
• Value: expiresAt.toEpochMilli() + keyPair.publicKey
• Signature: Mojang's signature of the public key

When the client receives other players' signing public keys, it will check the validity of the key.

Signing

Each chat message sent to the server is signed with the player's signing key.

When signing, the client creates the signature in the following approach:

Offset	Length	Type	Content
0	8	int64_be	Salt
8	16	uuid_be	UUID of the player
24	8	int64_be	Epoch seconds of current time
32	variant	utf8	Chat text

The signature and the salt is sent to the server along with the chat message, and the server forwards them to receivers.

Note that the server doesn't check whether the chat message signature is valid.

Verifying

When the client receives a chat message from other players, it verifies the message's signature, and logs a warning if it's invalid.

See also

• https://gist.github.com/kennytv/ed783dd244ca0321bbd882c347892874